-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 18 January 2004.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-18 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-18 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [X] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 31 May 2001 is/are: a) [ ] accepted or b) [X] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION

1. Claims 1-18 have been examined.

Drawing 

2. The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5)
because they include the following reference sign(s) not mentioned in the 
description: Example item "82" in fig. 4. Correction of all similar errors is 
requested. 

3. The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5)
because they do not include the following reference sign(s) mentioned in the
description: Example page 4, last line of [0018], item "block 65". Correction of all
similar errors is requested.

Specification 

4. The abstract of the disclosure is objected to because: Typo error.
Please replace the Title "[METHOD AND SYSTEM FOR GLOBALLY
RESTRICTINGCLIENT ACCESS TO A SECURE WEB SITE]" with "METHOD
AND SYSTEM FOR GLOBALLY RESTRICTING CLIENT ACCESS TO A
SECURE WEB SITE".
Please double check the entire specification with respect to any typo error that
may exist.

Correction is required. See MPEP § 608.01(b). 

Information Disclosure Statement PTO-1449

5. The Information Disclosure Statement submitted by applicant and
received on 07/10/2001, the exact same one (previously submitted IDS) received
on 08/07/2001 and 03/14/2003 has been considered. Please see attached
PTO-1449.

Note: The records of IFW files disclose the submission of IDS on 07/10/2001 and
exact duplicate submitted again on 08/07/2001.

Claim Rejections - 35 USC §112 

6. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter, which the applicant regards as his invention. 

7. Claims 6 and 15 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject 
matter which applicant regards as the invention. 

In claims 6 and 15 the phrase "synchronize client passwords" is indefinite and
unclear. It is not clear what the relevance of the number of client "passwords" is in
light of Applicant's claim language. Is the synchronization based on the number
of passwords used by the client? If yes, where is the basis for using the
number of passwords by the client?



• Examiner considers synchronization of the "client's login password"
among more than one password repository for the purpose of examination
in harmony with intervening claims 5 and 14.



Claim Rejections - 35 USC § 102 



8. The following is a quotation of the appropriate paragraphs of 35
U.S.C. 102 that form the basis for the rejections under this section made in this
Office action:



a. A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b) by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section
351(a) shall have the effects for purposes of this subsection of an application filed in the United States
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 



Claims 1, 5-9, 10 and 14-18 are rejected under 35 U.S.C. 102(e) as being
anticipated by Broadhurst et al (6,205,480 B1).



As per claims 1 and 10 Broadhurst et al (6,205,480 B1) teach a system and
method for globally restricting client access to a secured web site (see col.2,
lines 25-34 disclose system and method of access to a web server)
comprising: a first web server configured to: receive a client login (see fig.1
where it disclose a system for access to web server, databases and
external application that includes plurality of clients and servers; see col.2,
lines 25-33 where upon authentication in which user is logged access to
resources via a web server is allowed that is corresponds to configuration
of the web server to receive user or client); and return a cookie to the client
containing an access credential wherein the access credential contains at least
one role-based attribute specific to the client (see col.2, lines 35-41 where
user's identity is mapped into network credential which includes a user
role that corresponds to Applicant's role-based attribute and access
credential wherein the attribute specific to the user are access values such
as id or password; col.3, lines 24-31 disclose the definition of some of the
role attribute and the access to resources based on those role attribute by
the client; col.3, line 45-47 disclose the network and user credential is
formed into a cookie; col.4, lines 31-39 disclose the return of the cookie to
the client by storing into user web browser and it is disappear once the
browser is closed by the user or the client); and a second web server hosting
a secured web site having an associated security expression wherein the
security expression contains at least one role-based access privilege for the web
site (see col.2, lines 33-35 where the first server corresponds to Applicant's
second web server where it also has role based access privilege as part of
security expression), the second web server configured to: receive the cookie
containing the access credential in response to an HTTP request from the client
(see col.4, lines 40-60 where upon request by the user the cookie is created
and send to the second web server for access to resources; col.3, line 45-47
disclose the network and user credential is formed into a cookie; fig.1
disclose access to static HTML pages and web server environment; HTTP
is the protocol used by web server environment for request and access;
see also col.2, lines 17-31 with respect to HTTP); and if the access credential
contains a role-based attribute in common with the security expression, grant the
client access to the secured web site (see col.3, lines 18-32 where it disclose
based on access credential contained in a role access is granted).

As per claims 5 and 14 Broadhurst et al (6,205,480 B1) teach the system and
the method of claims 1 and 10 wherein role based attributes are assigned to the 
client based on the client's login password (see col.2, lines 32-41; col.3, lines 
23-31 where attribute role are based on login of the client using ids such as 
password). 



As per claims 6 and 15 Broadhurst et al (6,205,480 B1) teach the system and
the method of claims 5 and 14 wherein the first web server is additionally 
configured to synchronize client passwords among more than one password 
repository (see 112 rejection above and examiner interpretation of client 
passwords; col.2, lines 33-41 disclose the authentication of the client 
based on a user id such as password; line 42-48 disclose the 
synchronization of the password by the web server among numerous 
protected resources that corresponds to Applicant's more than one 
password repository by single authentication; the single authentication for
access to number of secured resources corresponds to Applicant's 
synchronization of the systems for accepting credential upon one time 
authentication). 

As per claims 7 and 16 Broadhurst et al (6,205,480 B1) teach the system and
the method of claims 1 and 10 wherein the web site contains a web-based 
application (see col. 3, lines 42-48; col. 4, lines 40-47 where it disclose the 
applications or web-based internally or externally). 

As per claims 8 and 17 Broadhurst et al (6,205,480 B1) teach the system and
the method of claims 1 and 10 wherein the access credential expires after a 
predefined period of time (see col. 4, lines 32-39 where the disappearance of 
the cookie by closing the browser corresponds to access credential 
expiration and predefined period of time corresponds to the life of the 
cookie up to the time the browser is closed). 

As per claims 9 and 18 Broadhurst et al (6,205,480 B1) teach the system and
the method of claims 1 and 10 wherein the access credential is encoded (see 
col.4, lines 27-32 where it disclose the access credential are formed into a 
cookie and where the cookie is encoded). 



Claim Rejections - 35 USC § 103

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to 
a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

11. Claims 2-3 and 11-12 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Broadhurst et al (6,205,480 B1) in view of Sampson et al
(6,339,423 B1) cited in the IDS by Applicant. 

As per claims 2 and 11 Broadhurst et al (6,205,480 B1) teach all limitation of
the claims as applied to the system and the method of claims 1 and 10 above but 
do not disclose explicitly the access credential and security expression 
additionally contain a token attribute for locally defined access to the secured 
web site. However Sampson et al (6,339,423 B1) disclose the access credential 
and security expression additionally contain a token attribute for locally defined 
access to the secured web site (see fig.4A and fig.2; col.5, lines 33-60 where
credential and security also contain token attribute to different domains). It
would have been obvious to one of ordinary skill in the art at the time the
invention was made to utilize Sampson's token attribute into Broadhurst's
cookies in order to create a mechanism that uses a single access control system
and method for managing access to resources that belongs to multiple domains
for verification before transmission of the cookies. 

As per claims 3 and 12 Broadhurst et al (6,205,480 B1) teach all limitation of
the system and the method of claims 2 and 11 above but do not explicitly
disclose the token attribute contains permission re-granting capability. However 
Sampson et al (6,339,423 B1) disclose the token attribute contains permission 
re-granting capability (see col.5, lines 14-24 where it disclose authentication 
without receiving access control cookies using token where authentication 
without receiving access control cookies corresponds to Applicant's
re-granting capabilities). It would have been obvious to one of ordinary skill in
the art at the time the invention was made to utilize Sampson's token attribute 
into Broadhurst's cookies in order to create a mechanism that uses a single 
access control system and method for managing access to resources that 
belongs to multiple domains for verification before transmission of the cookies. 

12. Claims 4 and 13 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Broadhurst et al (6,205,480 B1) in view of Wood et al
(6,668,322 B1). 

As per claims 4 and 13 Broadhurst et al (6,205,480 B1) teach all limitation of
the system and the method of claims 1 and 10 as applied above but do not 
explicitly disclose the access credential is digitally signed. However Wood et al 

Application/Control Number: 09/681,737
Art Unit: 2132

(6,668,322 B1) disclose the access credential is digitally signed (see col.7, lines
64-67 and col.8, lines 1-8 where it disclose digitally signing of access
credential). It would have been obvious to one of ordinary skill in the art at the
time the invention was made to utilize Wood's digital signature scheme in 
Broadhurst's access credential encoding in order to allow contents of the session 
credential to be read by anyone and changed by no one. 

Conclusion 

13. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 

U.S. Patent No. US (6,421,768 B1) teach method and system for authentication
and single sign-on using cryptographically assured cookies in a distributed 
computer environment. 

U.S. Patent No. US (6,374,359 B1) teach dynamic use and validation of HTTP 
cookies for authentication. 

U.S. Patent No. US (6,301,661 B1) teach enhanced security for applications 
employing downloadable executable content. 

U.S. Patent No. US (6,725,376 B1) teach method of using an electronic ticket and
distributed server computer architecture for the same.

14. Any inquiry concerning this communication or earlier communications from
the examiner should be directed to Kambiz Zand whose telephone number is
(703) 306-4169. The examiner can normally be reached on Monday-Thursday
(8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the
examiner's supervisor, Gilberto Barron, can be reached on (703) 305-1830. The
fax phone number for the organization where this application or proceeding is
assigned is (703) 872-9306. Information regarding the status of an application
may be obtained from the Patent Application Information Retrieval (PAIR) 
system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about 
the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center 
(EBC) at 866-217-9197 (toll-free). 




Kambiz Zand 



09/07/04 



